
Cybersecurity In-Depth


What My Optometrist Taught Me About InfoSec Presentations

A broken pair of eyeglasses brings into focus an important lesson about how to tailor security messages to the right audience.

Recently, my reading glasses broke. I tried to find a pair of frames that my perfectly fine lenses would fit into but had no luck. So I sent my lenses to a lab to be cut to fit the new frame.

In the end, I wound up with a usable pair of reading glasses. Along the way, I also met a very dedicated optometrist who truly cares about the quality of his customers’ vision.

Now, I have a degree in physics and know a thing or two about optics and the refraction of light. Of course, the optometrist had no way of knowing this, so he gave me the simple explanation of corrective lenses he gives any customer. The exchange left me with an important lesson: as security professionals, we need to know our audience and tailor what we present to them accordingly.

Know Your Audience
Think about it: How often do we give the same presentation regardless of who is in the room? We shouldn't. Below are five audiences security professionals often present to, along with points worth remembering for each.

  • Business: When we talk to and work with the business, it is important to show that we are partners. We need to help the business understand why it is in their interest to work collaboratively with security. It helps to be able to communicate the cost of leaving security out, whether that cost is measured in money, availability, customer trust, or something else. Simply put, messages that do not address what the business needs to hear will not improve collaboration between the security organization and the business.
  • Security leadership: In most enterprises, the security leadership has a few high-priority initiatives. For each of these initiatives, they will need to show progress, accomplishments, and how these efforts are actively mitigating risk. As security professionals, when we present our efforts to our leadership, it helps to frame our work in terms of how we are helping our leadership meet their targets. We can translate our efforts into key performance indicators (KPIs) and key risk indicators (KRIs) that show how different efforts map to and roll up into the broader initiatives. This will allow us to produce informative metrics for our leadership that they can, in turn, take forward and roll up into higher-level reporting for company leadership. This builds confidence in security leadership and empowers them to improve the enterprise's security posture.
  • Executives and the board: Business leaders generally focus on money. I’m not being critical when I say this - that is their job. A successful business will make a profit - the higher the profit and the better the margin, the better for shareholders. When we think about the enterprise from the perspective of executives and the board, risk is largely about money. When the business is exposed to a risk, security or otherwise, it can incur a large cost. Framing our security initiatives in terms of reducing and mitigating risk and then translating that into a monetary return on investment for the enterprise goes a long way toward communicating our value. It is a language that key stakeholders understand far better than if we were to rattle off technical details and evangelize different security issues.
  • Partners: Most companies that partner are looking to make money together. The most successful partnerships are built on joint business interests and a strong foundation of trust. When speaking to partners, it is helpful to communicate how the security program makes the company one that partners can trust and can securely make money with. Convincing partners that the company is one that takes protecting its joint ventures seriously pays big dividends.
  • Customers: Not all customers are aware of security breaches, fraud, and the widespread theft of personal data by attackers. For those who are, however, the security of their data is extremely important. When presenting to this audience, it is important to explain, in plain language, how security initiatives protect their data. An easy-to-understand explanation of efforts to safeguard customer data goes a long way.

The greatest presentation will fall flat if not aimed at the correct audience. By knowing our audience and targeting our messages accordingly, we can more effectively communicate the security program's value. This will facilitate our efforts to build trust and collaborate, which, in turn, will allow us to build more effective security programs and improve the organization's security posture.